Hi,

I have a 3 interface FW like this:
http://shorewall.greshko.com/GSLUG_files/slide0008_image004.png

where I use PROXYARP to give the servers in DMZ an IP from our public IP range.
A bit like this:
http://shorewall.greshko.com/GSLUG_files/slide0042_image026.png

proxyarp:
xxx.23.52.145 eth1 eth0 - yes
xxx.23.52.146 eth1 eth0 - yes
xxx.23.52.147 eth1 eth0 - yes
xxx.23.52.148 eth1 eth0 - yes
xxx.23.52.149 eth1 eth0 - yes
etc

This works fine, all my servers in DMZ can be addressed by their own IP address just fine, but if I go to something like:
http://www.whatismyip.com/
from one of the servers, it always shows my FW IP address, instead of each server's IP address.

Do you have any idea why this is?
I don't think I am running a caching proxy on the FW, not sure where to check that though...

Thanks for any suggestions,

Richard.

Richard Bennett wrote:
| Hi,
|
| I have a 3 interface FW like this:
| http://shorewall.greshko.com/GSLUG_files/slide0008_image004.png
|
| where I use PROXYARP to give the servers in DMZ an IP from our public IP
| range.
| A bit like this:
| http://shorewall.greshko.com/GSLUG_files/slide0042_image026.png
|
| proxyarp:
| xxx.23.52.145 eth1 eth0 - yes
| xxx.23.52.146 eth1 eth0 - yes
| xxx.23.52.147 eth1 eth0 - yes
| xxx.23.52.148 eth1 eth0 - yes
| xxx.23.52.149 eth1 eth0 - yes
| etc
|
| This works fine, all my servers in DMZ can be addressed by their own IP
| address just fine, but if I go to something like :
| http://www.whatismyip.com/
| from one of the servers, it always shows my FW IP address, instead of each
| server's IP address.
|
| Do you have any idea why this is?
| I don't think I am running a caching proxy on the FW, not sure where to check
| that though...

I suspect that in spite of numerous warnings to the contrary that you
based your firewall on the three-interface sample configuration (even
though you have multiple public IP addresses) and that you failed to
remove the DMZ entry from /etc/shorewall/masq.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wednesday 11 August 2004 01:51, Tom Eastep wrote:
> I suspect that in spite of numerous warnings to the contrary that you
> based your firewall on the three-interface sample configuration (even
> though you have multiple public IP addresses)

Ha ha, yes, there was a certain amount of trial and error involved in getting this running, and it was done based on several different sample configs, as none matched our exact situation.
(a /30 and a /28 combined, the /30 on NET, the /28 on DMZ, and a regular internal network on LOC)

> and that you failed to
> remove the DMZ entry from /etc/shorewall/masq.

Yep, that solved the problem.
Thanks a lot.

Richard.

>
> -Tom
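
The diagnosis in this thread, written as a check (an added example, not code from the thread or from the Shorewall project): it flags /etc/shorewall/masq entries whose SOURCE covers a proxy-ARP host, which is why outbound traffic carried the firewall's address. The file contents below are constructed samples using the 203.0.113.0/24 documentation range, and only single-interface or single-subnet SOURCE values are assumed.

```python
import ipaddress

# Constructed sample files; the real ones live in /etc/shorewall/.
PROXYARP = """\
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
203.0.113.145   eth1       eth0      -          yes
203.0.113.146   eth1       eth0      -          yes
"""
MASQ = """\
#INTERFACE  SOURCE
eth0        eth1
eth0        eth2
eth0        203.0.113.144/28
eth0        192.168.1.0/24
"""

def rows(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def masq_conflicts(proxyarp_text, masq_text):
    """Return masq entries that would rewrite traffic from proxy-ARP hosts."""
    # (address, interface the host sits on, external interface)
    hosts = [(ipaddress.ip_address(r[0]), r[1], r[2])
             for r in rows(proxyarp_text) if len(r) >= 3]
    conflicts = []
    for r in rows(masq_text):
        if len(r) < 2:
            continue
        out_if, source = r[0], r[1]
        for addr, dmz_if, ext_if in hosts:
            if out_if.split(":")[0] != ext_if:
                continue  # masquerading out of a different interface
            try:
                hit = addr in ipaddress.ip_network(source, strict=False)
            except ValueError:
                hit = source == dmz_if  # SOURCE given as an interface name
            if hit:
                conflicts.append((out_if, source))
                break
    return conflicts

if __name__ == "__main__":
    for out_if, source in masq_conflicts(PROXYARP, MASQ):
        print(f"masq entry '{out_if} {source}' rewrites proxy-ARP host traffic")
```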